I've been looking for a way to authenticate users through PAM using a
Python script. I didn't find any so I wrote my own. I call it using
a pam.conf line such as this.

    auth required pam_python.so test --foo=bar --blah=123

I wrote pam_python.so in C. It passes on calls to pam_sm_authenticate,
pam_sm_setcred, etc. to the "pam_handler" function in a Python script
specified as the first argument ("test" -> "test.py"). The pam_handler
script is called with the name of the function it's handling
("pam_sm_authenticate"), and the options given in the PAM configuration.
It parses the options and then calls the appropriate function.

I still haven't decided how to handle calls such as pam_get_user() (to
get the user ID). Right now I'm running it in the C program and then
passing it to pam_handler. I'd rather give the Python script a way to
call such routines as they're needed. That'll take some more wrapping.

Anyway...I'm not thrilled with how I'm doing this, so I thought I'd
check to see if anyone has strong feelings about the One True Way that
this should be done.

Suggestions?

Thank you.

--kyler
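
A sketch of the Python side of the design described in the post, as an added example that is not the poster's code: the `pam_handler(function, user, args)` signature, the `--allow` option and its placeholder policy are assumptions, and the return codes are Linux-PAM's numeric values. It dispatches through an explicit table and returns an error code for anything unexpected, so a malformed pam.conf option or a handler bug is never read as success.

```python
# Added example: a hypothetical test.py for the module described above.
# Return codes use Linux-PAM's numeric values (security/_pam_types.h).
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_AUTH_ERR, PAM_IGNORE = 0, 3, 7, 25


def parse_options(args):
    """Turn ['--foo=bar', '--blah=123'] into {'foo': 'bar', 'blah': '123'}."""
    opts = {}
    for arg in args:
        if not arg.startswith("--") or len(arg) == 2:
            raise ValueError("malformed option: %r" % arg)
        key, sep, value = arg[2:].partition("=")
        if not key or key in opts:
            raise ValueError("empty or repeated option: %r" % arg)
        opts[key] = value if sep else True   # bare --flag becomes True
    return opts


def pam_sm_authenticate(user, opts):
    # Placeholder policy (constructed), standing in for a real credential
    # check: only the user named by the assumed --allow option passes.
    if user and opts.get("allow") == user:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


def pam_sm_setcred(user, opts):
    return PAM_IGNORE  # this sketch manages no credentials


# Explicit table: only names listed here can ever be dispatched to.
HANDLERS = {
    "pam_sm_authenticate": pam_sm_authenticate,
    "pam_sm_setcred": pam_sm_setcred,
}


def pam_handler(function, user, args):
    """Entry point the C module would call; always returns a PAM code."""
    handler = HANDLERS.get(function)
    if handler is None:
        return PAM_SERVICE_ERR            # unknown entry point: fail closed
    try:
        result = handler(user, parse_options(args))
    except Exception:
        return PAM_SERVICE_ERR            # bad config or handler bug: deny
    # Anything that is not an int must not be read as success by the caller.
    return result if type(result) is int else PAM_SERVICE_ERR
```
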